Q. Why can't I just use one line of shell to do what md5deep does?
A. Because md5deep does more than just compute hashes. Yes, it's possible to recursively compute MD5 hashes with existing commands:
$ find /usr -type f -exec md5sum '{}' \;

There is no single line of shell code that can use a set of known hashes to search for files that do or do not match any of the known hashes. For example, here are the positive matches from a set of known malware to files in the /usr directory. Note the rootkit we find:

$ md5deep -r malware-samples/* > known.txt
$ md5deep -wrm known.txt /usr
/usr/bin/.../ls matches /home/jessek/malware-samples/foo-rootkit/trojan-ls
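The matching step is what the one-liner cannot do. As an added illustration (not code from the md5deep project), the Python below parses a known-hash list in md5deep's output format (hash, two spaces, path), walks a tree, and reports either positive matches with the known file they correspond to, or negative matches (files absent from the set). The sample directory tree, file contents and names are constructed inline; the flag names in the comments refer to md5deep's -r, -m, -w and -x options.

```python
import hashlib
import os
import tempfile

def md5_of_file(path, chunk=65536):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def load_known(lines):
    """Parse md5deep-style lines ('<hex hash>  <path>') into {hash: path}."""
    known = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", "%")):
            continue  # blank, comment or header line
        digest, _, path = line.partition("  ")
        known.setdefault(digest.lower(), path)  # first path wins for duplicate hashes
    return known

def walk_and_match(root, known, negative=False):
    """Recurse like -r: positive mode lists files in the known set with the matching known path (-m/-w); negative mode lists files absent from it (-x)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            match = known.get(md5_of_file(full))
            if negative and match is None:
                hits.append((full, None))
            elif not negative and match is not None:
                hits.append((full, match))
    return hits

def demo():
    """Constructed tree: a known rootkit sample plus a copy of it hidden as usr/bin/.../ls."""
    base = tempfile.mkdtemp()
    sample = os.path.join(base, "malware-samples", "foo-rootkit", "trojan-ls")
    hidden = os.path.join(base, "usr", "bin", "...", "ls")
    clean = os.path.join(base, "usr", "bin", "cat")
    for p, data in ((sample, b"trojaned ls"), (hidden, b"trojaned ls"), (clean, b"real cat")):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    known = load_known(["%s  %s" % (md5_of_file(sample), sample)])  # like: md5deep -r samples/* > known.txt
    usr = os.path.join(base, "usr")
    return walk_and_match(usr, known), walk_and_match(usr, known, negative=True), hidden, clean, sample
```

demo() returns the positive list [(hidden copy, sample path)] and the negative list [(clean file, None)], mirroring the "matches" line in the output above.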
A. Sort of. There have been a number of collision attacks against the algorithm. It's now possible for a bad guy to generate two different 128 byte blocks that have the same MD5 hash.
Note that a bad guy can't (currently) create a new file that matches the hash of an existing file. This kind of attack, called a preimage attack, will be the absolute end of the algorithm.
The easiest method for getting md5deep to work on Microsoft Windows is to use the precompiled binaries available on the project web page, http://md5deep.sourceforge.net/.
The developer uses a MinGW cross compiler to create these Win32 binaries from either Linux or OS X. You can get more information on how to set up your own cross compiler from the MinGW wiki page on BuildMingwCross. After you have a cross compiler installed, you can configure and build the programs using
$ ./configure --host=mingw32
You can use Cygwin to build and install the programs, but this will create a Cygwin version of the tools. Remember that because Cygwin is a kind of *nix, it must be built with the *nix style configuration:
$ ./configure
The following option is not supported, but may allow you to compile a Windows binary that is not Cygwin dependent. From the MinGW FAQ, How do I use MinGW with Cygwin?:

Simply install Cygwin and the MinGW distribution in separate directories (i.e. "C:\CYGWIN" and "C:\MINGW"), and make sure that the "/bin" subdirectory beneath your MinGW installation comes before Cygwin's "/bin" subdirectory in your PATH environment variable (i.e. "PATH=%PATH%;C:\MINGW\BIN;C:\CYGWIN\BIN"). This will allow you access to all the UNIX tools you want, while ensuring that the instance of GCC used is the MinGW version.
A. This usually happens to Microsoft Windows users. md5deep is a command line program and does not work by double clicking on it. To run the program you must open a command prompt. Go to the "Start" menu and choose "Run". In the dialog box, type cmd and hit enter. When the command prompt comes up, change to the directory where you have decompressed the md5deep archive. For example:

C:\> cd e:\temp\md5deep

You can now run md5deep using this command window as described in the Getting Started guide.